Sean Parkinson
59f84355a5
Merge pull request #9573 from night1rider/aes-free-callbacks
...
Aes Free callback support
2025-12-23 08:47:05 +10:00
Sean Parkinson
c8f2cc5b43
Merge pull request #9566 from dgarske/ca_skid_cert_akid
...
Added build option to allow certificate CA matching using AKID with signers SKDI
2025-12-23 08:40:14 +10:00
Anthony Hu
cb2a80bf53
Guard a bit of DTLS code.
2025-12-22 17:05:47 -05:00
night1rider
afbc65a6c3
Aes Free callback support
2025-12-22 12:39:41 -07:00
Kareem
8de470b436
Add new WOLFSSL_RNG_USE_FULL_SEED macro to known macros.
2025-12-22 11:49:27 -07:00
Kareem
fe45b74921
Add trailing newline back to ssl.h.
2025-12-22 11:45:25 -07:00
Mattia Moffa
ca78994298
Add missing length check in sniffer for AES-GCM/AES-CCM/ARIA-GCM
2025-12-22 16:13:27 +01:00
Marco Oliverio
29d8fa7cb6
tls13: fix indentation alignment
2025-12-22 13:45:34 +01:00
Marco Oliverio
540fae80ab
test_dtls: test payload split when WOLFSSL_NO_DTLS_SIZE_CHECK
2025-12-22 13:41:33 +01:00
Marco Oliverio
8cbc4047df
internal: rename to use wolfssl internal prefix
2025-12-22 13:41:33 +01:00
Marco Oliverio
aa4fb5d3e5
internal: GetMaxPlainTextSize: precise pad size when adjusting for MTU
2025-12-22 13:41:33 +01:00
Marco Oliverio
1200efdeb3
internal: GetRecordSize: precise header computation on fallback path
2025-12-22 13:41:33 +01:00
Marco Oliverio
75e7d5e9bd
fix: split message > MTU on WOLFSSL_NO_DTLS_SIZE_CHECK
2025-12-22 12:49:31 +01:00
Sean Parkinson
da06e1aeea
Merge pull request #9558 from kareem-wolfssl/zd20944_2
...
Move Curve25519 public key check to make_pub/make_pub_blind to cover the case where they are called directly by an application.
2025-12-22 19:38:42 +10:00
Sean Parkinson
7a326ef43f
Merge pull request #9553 from julek-wolfssl/ed25519-export-key-check
...
ed25519: validate presence of keys in export functions
2025-12-22 19:31:14 +10:00
Marco Oliverio
14b124769a
use wolfssl internal prefix for MaybeCheckAlertOnErr
2025-12-22 10:04:50 +01:00
Marco Oliverio
12c2cdafaf
rename wolfSSL_MaybeCheckAlertOnErr in wolfMaybeCheckAlertOnErr
2025-12-22 09:51:06 +01:00
Marco Oliverio
f4c48c19c1
fix: abide unused arguments when WOLFSSL_CHECK_ALER_ON_ERR is disabled
2025-12-22 09:51:06 +01:00
Marco Oliverio
38d8eb6f0d
address reviewer's comments
2025-12-22 09:51:06 +01:00
Marco Oliverio
950c074c25
test: fix typo in structure field
2025-12-22 09:51:06 +01:00
Marco Oliverio
8de68decd2
test: tls13_early_data: test WANT_WRITE in early data
2025-12-22 09:51:06 +01:00
Marco Oliverio
609e30a69c
test: tls13_early_data: refactor splitEarlyData test option
2025-12-22 09:51:06 +01:00
Marco Oliverio
57282140a9
WOLFSSL_CHECK_ALERT_ON_ERR: ignore non fatal errors
2025-12-22 09:51:06 +01:00
Marco Oliverio
093d77727b
early_data: avoid resetting ssl->earlyData after WANT_WRITE retry
2025-12-22 09:51:06 +01:00
Marco Oliverio
a1c8790039
wolfssl: preserve early-data handling across WANT_WRITE retries
...
The early-data logic setups "early" exits in Accept/Connect state machine so
that the data exchanged during the handshake can be delivered to the
caller.
After the caller process the data, it usually calls Accept/Connect again
to cotinue the handshake.
Under non-blocking I/O there is the chance that these early exits are
skipped, this commit fixes that.
Server-side accept (TLS 1.3/DTLS 1.3) could skip the early-data shortcut
whenever sending the Finished flight first hit WANT_WRITE: when Accept
is called again and the data is eventually flushed into the I/O layer
the accept state is advanced past TLS13_ACCEPT_FINISHED_SENT, so the
next wolfSSL_accept() call skipped the block that marks
SERVER_FINISHED_COMPLETE and lets the application drain 0-RTT data. By
keeping the FALL_THROUGH into TLS13_ACCEPT_FINISHED_SENT and only
returning early while that handshake flag is still unset, we revisit the
shortcut immediately after the buffered flight is delivered, preserving
the intentional behaviour even under non-blocking I/O.
On the client, the same pattern showed up after SendTls13ClientHello()
buffered due to WANT_WRITE: after flushing, the connect state is already
CLIENT_HELLO_SENT so the early-data exit is no longer executed. We now
fall through into the CLIENT_HELLO_SENT case and only short-circuit once
per handshake, ensuring the reply-processing loop still executes on the
retry.
2025-12-22 09:51:05 +01:00
Hideki Miyazaki
fc583d068f
add SK-S7G2 support
...
Update README based on copilot suggestion
2025-12-20 10:32:09 +09:00
Kareem
adf38007f4
Document wolfSSL_CTX_New's behavior on failure around WOLFSSL_METHOD.
...
Fixes #9517 .
2025-12-19 17:19:45 -07:00
Kareem
ac98505204
Document wolfSSL_CTX_set_default_passwd_cb and wolfSSL_CTX_set_default_passwd_cb_userdata.
...
Fixes #6008 .
2025-12-19 17:18:45 -07:00
Kareem
7c4feb5e87
Improve the error message returned by BAD_KEY_SHARE_DATA.
...
Fixes #9084 .
2025-12-19 17:17:33 -07:00
Kareem
5b473f6b9b
Add SSL_get_rfd and SSL_get_wfd.
...
Fixes https://github.com/wolfSSL/wolfssl-nginx/issues/25 .
2025-12-19 17:16:35 -07:00
Kareem
b6766106c8
Add documentation for Base16_Encode and Base64_Encode's behavior of adding a NULL terminator byte.
...
Fixes #5602
2025-12-19 17:15:44 -07:00
Kareem
a1999d29ed
Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
...
wolfSSL's support for WOLFSSL_SYS_CA_CERTS uses APIs which don't depend on !NO_FILESYSTEM
on Windows/Mac.
Fixes #8152 .
2025-12-19 16:37:50 -07:00
JacobBarthelmeh
0a0c43054f
Merge pull request #9564 from douzzer/20251219-fixes
...
20251219-fixes
2025-12-19 16:24:20 -07:00
Kareem
3e59b83727
Only keep /dev/urandom open, close /dev/random after each use.
...
Improve logic for opening RNG seed FD.
2025-12-19 15:57:49 -07:00
Kareem
fe105d4b48
Add a flag which allows requesting exactly SEED_SZ and using the full seed to instantiate the DRBG during RNG init.
...
This flag can not be used with FIPS.
2025-12-19 15:25:15 -07:00
David Garske
1cb2231ff5
Added build option to allow certificate CA matching using AKID with signers SKID ( WOLFSSL_ALLOW_AKID_SKID_MATCH). Fixed issue with cert->extAuthKeyIdSz not being set with ASN template code.
2025-12-19 14:14:39 -08:00
Daniel Pouzzner
a7550346dd
wolfcrypt/test/test.c: in rng_seed_test(), fix gates for FIPS 5.2.4.
2025-12-19 15:50:27 -06:00
Daniel Pouzzner
d3f74557fe
wolfcrypt/src/wolfentropy.c: add volatile attribute to entropy_memuse_initialized declaration; in wc_Entropy_Get(), if HAVE_FIPS, call Entropy_Init() if necessary, to accommodate FIPS KATs; in Entropy_Init(), add thread safety.
2025-12-19 15:45:17 -06:00
JacobBarthelmeh
d5723d0d89
Merge pull request #9544 from julek-wolfssl/gh/9362
...
Check KeyShare after HRR
2025-12-19 14:36:31 -07:00
David Garske
1825bd86f5
Merge pull request #9550 from JacobBarthelmeh/caam
...
sanity checks on buffer size with AES and CAAM Integrity use
2025-12-19 11:03:40 -08:00
JacobBarthelmeh
d26c11c626
Merge pull request #9551 from josepho0918/iar
...
Add IAR support to WC_OFFSETOF macro
2025-12-19 11:36:33 -07:00
JacobBarthelmeh
8153ea6189
Merge pull request #9559 from cconlon/pkcs7SignedNonOctet
...
Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types
2025-12-19 11:12:06 -07:00
Daniel Pouzzner
6f95a9c58e
wolfcrypt/src/random.c: in _InitRng(), remove "drbg_instantiated" conditional cleanup logic (Coverity true-benign-positive: DEADCODE because drbg_instantiated is always false when ret != DRBG_SUCCESS).
2025-12-19 10:30:14 -06:00
Daniel Pouzzner
fb26b2dfe1
wolfcrypt/test/test.c: in HMAC tests, initialize ret, to silence uninitvar from cppcheck-force-source.
2025-12-19 09:07:14 -06:00
Daniel Pouzzner
96c47cd18c
wolfcrypt/test/test.c: in _rng_test(), inhibit the WC_RESEED_INTERVAL subtest if an rng callback is installed.
2025-12-19 08:55:35 -06:00
Juliusz Sosinowicz
dd35f10b57
ed25519: validate presence of keys in export functions
2025-12-19 10:14:26 +01:00
JacobBarthelmeh
a3072c7a8d
fix for shadows global declaration warning
2025-12-18 17:18:39 -07:00
Chris Conlon
afe82b9512
Fix PKCS#7 degenerate detection based on signerInfos length
2025-12-18 16:28:03 -07:00
Chris Conlon
d6dcd30736
Fix PKCS#7 streaming for non OCTET STRING content types
2025-12-18 16:28:01 -07:00
JacobBarthelmeh
bbc3a72ea8
Merge pull request #9556 from julek-wolfssl/rng-tools-timeout-fix
...
rng-tools: increase jitter timeout
2025-12-18 15:59:42 -07:00